Archive for the ‘SSL’ Category

This article describes how to use an existing SSL certificate with Stash. The process involves converting the certificate with OpenSSL, importing it into the Java keystore, and then updating the Stash configuration to use it.

You will be prompted for two passwords. Enter the same password for both and make a note of it for later. If keytool is not recognized as a valid command, change directories to the Java JRE bin directory first.

5. Edit the Server.xml file located in the “conf” directory of your Stash installation directory. Anywhere before the closing tag, enter the following:

Sometimes when using a wildcard SSL certificate or a Unified Communications Certificate (UCC) it is necessary to add multiple https host headers for a single IP address. Unfortunately the IIS 7 GUI does not allow you to set a host header on an https binding; however, this can be achieved using the “appcmd” command.

1. First bind the certificate to one site as normal by adding the https binding through the IIS GUI.

2. Open a command prompt and navigate to C:\Windows\System32\Inetsrv\ using the command below:
cd C:\Windows\System32\Inetsrv\

3. Enter the following command to manually set the binding bearing in mind the notes below:
appcmd set site /site.name:"SiteNameInIIS" /+bindings.[protocol='https',bindingInformation='IP.Add.re.ss:443:www.example.com']

Make sure to change the following values on the command above accordingly:

SiteNameInIIS: The site name exactly as it appears in IIS, for instance “example.com”.

IP.Add.re.ss: The IP used by the site.

www.example.com: The desired hostname. Note that in most cases you will need one binding for the www hostname and one for the non-www hostname.

Sometimes when working with an untrusted third-party root certificate, Windows will automatically delete it. If Windows finds a discrepancy with an intermediate certificate on the server, it checks the certificate against its own list of approved certificates. If it does not match, Windows removes it and logs the following in the Application log:
Event ID: 4108
Successful auto delete of third-party root certificate

In a Linux environment OpenSSL provides an easy way to decrypt an encrypted private key:

openssl rsa -in server.key.secure -out server.key

Make sure to replace “server.key.secure” with the filename of your encrypted key, and “server.key” with whatever you want the decrypted file to be called. If you are prompted for a passphrase, whoever created the key set one. Unfortunately you will not be able to decrypt the key without the correct passphrase.
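As an added example (not part of the original post), here is a small POSIX shell wrapper around that same openssl command that first checks whether the key is actually encrypted, supplies the passphrase non-interactively, and confirms the output really is decrypted. It assumes openssl is on PATH and generates its own throwaway key and constructed passphrase.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is on PATH;
# all key material below is generated locally and thrown away.

# Returns 0 if the PEM file carries an encryption marker: either the
# PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" header or the legacy
# "Proc-Type: 4,ENCRYPTED" line (which of the two depends on the OpenSSL version).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# decrypt_key <encrypted-key> <output-key> <passphrase>
# Prints "decrypted", "already-plain" or "bad-passphrase"; returns 1 only on failure.
decrypt_key() {
    in_key=$1; out_key=$2; pass=$3
    if ! key_is_encrypted "$in_key"; then
        cp "$in_key" "$out_key"          # nothing to decrypt, keep a copy anyway
        echo "already-plain"
        return 0
    fi
    # The page's command, plus -passin so it never blocks on a prompt.
    if openssl rsa -in "$in_key" -out "$out_key" -passin "pass:$pass" 2>/dev/null \
       && ! key_is_encrypted "$out_key"; then
        echo "decrypted"
        return 0
    fi
    rm -f "$out_key"                     # never leave a half-written key behind
    echo "bad-passphrase"
    return 1
}

# Self-contained run: create a key, encrypt it with a constructed passphrase,
# then exercise both the success path and the wrong-passphrase failure path.
demo() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/server.key.plain" 2048 2>/dev/null
    openssl rsa -in "$dir/server.key.plain" -out "$dir/server.key.secure" \
        -aes256 -passout pass:correct-horse 2>/dev/null
    r1=$(decrypt_key "$dir/server.key.secure" "$dir/server.key" correct-horse) || true
    r2=$(decrypt_key "$dir/server.key.secure" "$dir/server2.key" wrong-pass) || true
    rm -rf "$dir"
    echo "$r1 $r2"                       # prints "decrypted bad-passphrase"
}
```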